All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: Marcel Holtmann <marcel@holtmann.org>,
	Tadeusz Struk <tadeusz.struk@intel.com>,
	dwmw2@infradead.org, keyrings@vger.kernel.org,
	linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Petko Manolov <petkan@mip-labs.com>,
	"Mark D. Baushke" <mdb@juniper.net>
Subject: Re: [RFC] KEYS: Exposing {a,}symmetric key ops to userspace and other bits
Date: Sun, 22 Nov 2015 09:41:51 -0500	[thread overview]
Message-ID: <1448203311.2546.34.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <23924.1448017665@warthog.procyon.org.uk>

On Fri, 2015-11-20 at 11:07 +0000, David Howells wrote:
> Hi Marcel, Mimi, Tadeus,
> 
> I want to consider adding or doing the following bits to the keyrings
> facility, aiming for the next merge window:
> 
>  (*) Bring in the patches that I posted to change how the trust model on a
>      keyring works.
> 
>      The model will then be that keys aren't automatically marked trusted, but
>      linking a key into a keyring that is marked trusted-only will validate
>      the key against the contents of the keyring before permitting its
>      addition.

This trust model is flawed.   We've already discussed this trust model
back when first introducing the concept of a trusted keyring.   Refer to
the v3 "ima: extending secure boot certificate chain of trust" patch set
https://lwn.net/Articles/576563/, which describes two methods of
verifying a certificate before adding the key to the trusted keyring.  

The first method  "4/5 KEYS: verify certificate is signed by a trusted
key on the target keyriing" is similar to the method being proposed
here.  The subsequent patch "5/5 KEYS: verify certificate is signed by a
trusted key on a particular keyring" rejected using the same keyring for
validating the new key being added.  It defined a new separate keyring
for validating the keys.  (Neither of these patches were upstreamed.)

Dmitry Kasatkin proposed a third method, which identified the "trusted"
key(s) on the system keyring, instead of maintaining a separate keyring.
As there wasn't a usecase requiring a separate keyring at the time, his
approach was upstreamed.  Now Petko Manoliv and Mark Bausche  have a
valid use case scenario for having a separate keyring.  (For the details
refer to:
https://www.mail-archive.com/linux-security-module@vger.kernel.org/msg03503.html)

With the proposed trust model change, the keys trusted to verify file
signatures would be allowed to also verify certificate signatures.  For
example, a system owner trusts company A to verify file signatures, yet
they want to retain control over which certificates may be added to the
keyring.  Just because company A trusts company/government X, doesn't
mean the system owner also trusts company/government X.   By having one
keyring, other certificates signed by company A could be added to the
keyring.

>      Note that we can then vary the policy on a per-keyring basis.
> 
>  (*) Add Mimi's patches to allow keys/keyrings to be marked undeletable.  This
>      is for the purpose of creating blacklists and to prevent people from
>      removing entries in the blacklist.  Note that only the kernel can create
>      a blacklist - we don't want userspace generating them as a way to take up
>      kernel space.
> 
>      I think the right way to do this is to not allow marked keys to be
>      unlinked from marked keyrings, but to allow marked keys to be unlinked
>      from ordinary keyrings.
> 
>      The reason the 'keep' mark is required on individual keys is to prevent
>      the keys from being directly revoked, expired or invalidated by keyctl
>      without reference to the keyring.  Marked keys that are set expirable
>      when they're created will still expire and be subsequently removed and if
>      a marked key or marked keyring loses all its references it still gets
>      gc'd.

Agreed.  I'll fix and re-post soon.

Mimi

  reply	other threads:[~2015-11-22 14:42 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-20 11:07 [RFC] KEYS: Exposing {a,}symmetric key ops to userspace and other bits David Howells
2015-11-22 14:41 ` Mimi Zohar [this message]
2015-12-02 19:27   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1448203311.2546.34.camel@linux.vnet.ibm.com \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=mdb@juniper.net \
    --cc=petkan@mip-labs.com \
    --cc=tadeusz.struk@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.